URI from x509 certificate is not correctly read by QtopcUa module
-
Hello,
I'm using the QtOpcUa module to establish an encrypted connection with an OPC UA server. The certificate which I'm using works fine on Windows, Linux and Android, but when I switch to macOS or iOS, this part:

    QOpcUaPkiConfiguration m_pkiConfig;
    m_pkiConfig.setClientCertificateFile(pkidir + "/opcuaviewer.der");
    m_pkiConfig.setPrivateKeyFile(pkidir + "/opcuaviewer.key");
    auto m_identity = m_pkiConfig.applicationIdentity();

causes a warning from the qtopcua module:

    [qt.opcua.security] URI string from certificate has unexpected format: "" Application identity will be invalid.

And the connection could not be established because of the missing URI in the extension. After debugging the QtOpcUa module I found that there is the correct count of extensions (5), and there is an extension with the correct name "subjectAltName". So far, so good, but when calling the method "toMap()" in "applicationIdentity()", the returned map is empty.
\qtopcua\src\opcua\client\qopcuapkiconfiguration.cpp
    QOpcUaApplicationIdentity QOpcUaPkiConfiguration::applicationIdentity()
    {
        ...
        auto extensions = certList[0].extensions();
        for (const auto extension : qAsConst(extensions)) {
            if (extension.name() == QLatin1String("subjectAltName")) { // OID: 2.5.29.17
                const auto value = extension.value().toMap();

The funny thing is that I can successfully use the method "toString()" on this QVariant, but only on macOS and iOS. So on Windows it looks like the QVariant "subjectAltName" is a QMap (which is correct), and on Apple systems somehow it is a QString. The module uses the method "toMap()", so that should be the correct way.

I have updated Qt and qtopcua (15.1) and downloaded the newest version of mbedtls, but it does not help. I have checked the DER certificate with OpenSSL and it looks fine, all extensions included (the same one works fine on the other systems, so it should be).

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment
        X509v3 Subject Alternative Name:
            email:my@other.address, URI:http://my.url.here/
        X509v3 Subject Key Identifier:
            EA:59:19:39:BF:1B:CC:22:FB:26:E9:C0:C2:EB:26:52:E2:55:34:EF
        X509v3 Authority Key Identifier:
            keyid:EA:59:19:39:BF:1B:CC:22:FB:26:E9:C0:C2:EB:26:52:E2:55:34:EF
            DirName:
            serial:01

Has anybody ever faced a similar issue?
-
We're facing the same problem, depending on how the certificates have been created, and fixed it using the following code.

    QOpcUaApplicationIdentity QOpcUaPkiConfiguration::applicationIdentity() const
    {
        ...
        if (extension.name() == QLatin1String("subjectAltName")) { // OID: 2.5.29.17
            QString uri;
            const QMap<QString, QVariant> valueMap = extension.value().toMap();
            if (valueMap.count() > 0) {
                // Backends that decode the extension hand us a map keyed by name type.
                uri = valueMap[QLatin1String("URI")].toString();
            } else {
                // Backends that hand us the raw extension bytes: scan for the "urn:" prefix
                // and stop at the next 0x82 byte (the DER tag of the dNSName entry that follows).
                QByteArray valBytes = extension.value().toByteArray();
                qsizetype urnStartInd = valBytes.indexOf(QStringLiteral("urn:").toUtf8()); //TODO[QT6]: use QByteArrayView here in QT6
                // '\x82' is the single byte 0x82; '0x82' would be a multi-character literal.
                qsizetype urnEndInd = (urnStartInd < 0) ? -1 : valBytes.indexOf('\x82', urnStartInd);
                if (urnStartInd != -1) {
                    uri = valBytes.mid(urnStartInd, (urnEndInd < 0) ? -1 : urnEndInd - urnStartInd);
                }
            }
            const QStringList token = uri.split(':', QString::SkipEmptyParts);
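When the backend only hands back the raw extension bytes, the subjectAltName value is a DER SEQUENCE OF GeneralName, and each entry can be located by its context-specific tag and length instead of by searching for text. The following is an added example, not code from QtOpcUa or from either poster, written in plain C++ with no Qt dependency so it compiles stand-alone. The tag numbers come from RFC 5280 section 4.2.1.6 (rfc822Name is [1] = 0x81, dNSName is [2] = 0x82, uniformResourceIdentifier is [6] = 0x86). The sample bytes `kSampleSan`, the `build` encoder used to construct further samples, and all function names are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <utility>
#include <vector>

namespace san {

// Context-specific tags of the GeneralName CHOICE (RFC 5280, 4.2.1.6).
constexpr uint8_t kRfc822Name = 0x81;  // [1] IA5String
constexpr uint8_t kDnsName    = 0x82;  // [2] IA5String
constexpr uint8_t kUri        = 0x86;  // [6] IA5String

// Decode a DER length at pos (short form, or long form up to 4 octets) and
// advance pos past it. Rejects the indefinite form, which DER forbids.
bool readLength(const std::vector<uint8_t>& d, size_t& pos, size_t& len) {
    if (pos >= d.size()) return false;
    uint8_t first = d[pos++];
    if (first < 0x80) { len = first; return true; }
    size_t n = first & 0x7f;
    if (n == 0 || n > 4 || pos + n > d.size()) return false;
    len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | d[pos++];
    return true;
}

// Walk the extnValue (SEQUENCE OF GeneralName) and return every string-typed
// entry as (tag, text). Other GeneralName kinds are skipped by their length,
// so a byte such as 0x82 inside another entry can never be mistaken for a tag.
// Any encoding error yields an empty result rather than a partial one.
std::vector<std::pair<uint8_t, std::string>> parse(const std::vector<uint8_t>& d) {
    std::vector<std::pair<uint8_t, std::string>> out;
    size_t pos = 0, len = 0;
    if (d.empty() || d[pos++] != 0x30 || !readLength(d, pos, len) || pos + len != d.size())
        return {};
    while (pos < d.size()) {
        uint8_t tag = d[pos++];
        size_t l = 0;
        if (!readLength(d, pos, l) || pos + l > d.size()) return {};
        if (tag == kRfc822Name || tag == kDnsName || tag == kUri)
            out.emplace_back(tag, std::string(d.begin() + pos, d.begin() + pos + l));
        pos += l;
    }
    return out;
}

// What the application identity needs: the first uniformResourceIdentifier entry.
std::optional<std::string> firstUri(const std::vector<uint8_t>& d) {
    for (const auto& [tag, text] : parse(d))
        if (tag == kUri) return text;
    return std::nullopt;
}

// Minimal DER TLV encoder, used here only to construct test samples.
std::vector<uint8_t> tlv(uint8_t tag, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out{tag};
    size_t n = payload.size();
    if (n < 0x80) {
        out.push_back(static_cast<uint8_t>(n));
    } else if (n < 0x100) {
        out.push_back(0x81); out.push_back(static_cast<uint8_t>(n));
    } else {
        out.push_back(0x82);
        out.push_back(static_cast<uint8_t>(n >> 8));
        out.push_back(static_cast<uint8_t>(n & 0xff));
    }
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Build a subjectAltName extnValue from (tag, text) entries.
std::vector<uint8_t> build(const std::vector<std::pair<uint8_t, std::string>>& names) {
    std::vector<uint8_t> body;
    for (const auto& [tag, text] : names) {
        auto e = tlv(tag, std::vector<uint8_t>(text.begin(), text.end()));
        body.insert(body.end(), e.begin(), e.end());
    }
    return tlv(0x30, body);
}

// Constructed sample, hand-encoded to match the SAN that openssl printed in the
// post above: SEQUENCE { [1] "my@other.address", [6] "http://my.url.here/" }.
const std::vector<uint8_t> kSampleSan = {
    0x30, 0x27,
    0x81, 0x10, 'm','y','@','o','t','h','e','r','.','a','d','d','r','e','s','s',
    0x86, 0x13, 'h','t','t','p',':','/','/','m','y','.','u','r','l','.','h','e','r','e','/',
};

}  // namespace san

int main() {
    auto uri = san::firstUri(san::kSampleSan);
    std::printf("URI: %s\n", uri ? uri->c_str() : "<none>");
    return uri ? 0 : 1;
}
```

Because the walk is driven by the encoded lengths, it returns the URI whether or not a dNSName follows it, does not depend on the URI starting with `urn:`, and fails closed on a truncated or malformed extension instead of returning a partial string.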